CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Description
IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate sessions after a password reset, which could allow an authenticated user to impersonate another user on the system.
Analysis
IBM Aspera Shares versions 1.9.9 through 1.11.0 fail to invalidate user sessions following password reset operations, enabling authenticated users to maintain access to compromised accounts and impersonate other users. The vulnerability requires prior authentication and allows limited confidentiality and integrity impact through account takeover. IBM has released a patch to address this session management defect.
Technical Context
The vulnerability stems from improper session handling in IBM Aspera Shares, a file transfer and collaboration platform. After a user resets their password, the application fails to terminate active sessions associated with that account (CWE-613: Insufficient Session Expiration). This is a classic session persistence flaw: session tokens issued before the reset remain valid despite the credential change. An authenticated attacker who has obtained a valid session token for another user before the password reset can continue using that session to perform actions as the legitimate user, so the reset does not end the compromise. The affected CPE is cpe:2.3:a:ibm:aspera_shares:*:*:*:*:*:*:*:* for versions 1.9.9 through 1.11.0.
Affected Products
IBM Aspera Shares versions 1.9.9, 1.10.0, 1.10.1, 1.11.0 and all patch levels within the 1.9.9 to 1.11.0 range are affected (CPE: cpe:2.3:a:ibm:aspera_shares:*:*:*:*:*:*:*:*). Deployment environments using Aspera Shares for secure file transfer and collaboration within this version range should be assessed for exposure. See IBM support page at https://www.ibm.com/support/pages/node/7267848 for detailed affected version documentation.
Remediation
IBM has released a patch available through their support portal. Organizations should upgrade IBM Aspera Shares to the patched version specified in the vendor advisory at https://www.ibm.com/support/pages/node/7267848. As an immediate mitigation pending patch deployment, administrators should enforce logout of all active sessions when initiating password resets for user accounts, consider implementing additional session monitoring and re-authentication requirements for sensitive operations, and audit session logs for suspicious cross-user activity patterns that may indicate session hijacking attempts.
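The following is an added example, not IBM's code or the page's own: a constructed in-memory session store showing the vulnerable pattern (password changes, old tokens stay valid) beside the hardened one (password reset bumps a per-user password version and drops the user's sessions, and token validation checks that version). SHA-256 stands in for a real password hash such as bcrypt.

```ruby
require 'securerandom'
require 'digest'

# Constructed illustration of CWE-613 in a password-reset flow (not Aspera Shares code).
class SessionStore
  def initialize
    @users = {}     # username => { password_hash:, password_version: }
    @sessions = {}  # token => { user:, password_version: }
  end

  def add_user(name, password)
    @users[name] = { password_hash: hash_pw(password), password_version: 0 }
  end

  def login(name, password)
    user = @users.fetch(name)
    return nil unless user[:password_hash] == hash_pw(password)
    token = SecureRandom.hex(16)
    @sessions[token] = { user: name, password_version: user[:password_version] }
    token
  end

  # Vulnerable pattern: the credential changes but every existing token stays valid.
  def reset_password_vulnerable(name, new_password)
    @users[name][:password_hash] = hash_pw(new_password)
  end

  # Hardened pattern: bump the per-user version and drop all sessions bound to the old one.
  def reset_password_hardened(name, new_password)
    user = @users[name]
    user[:password_hash] = hash_pw(new_password)
    user[:password_version] += 1
    @sessions.delete_if { |_, s| s[:user] == name }
  end

  # Returns the username for a valid token, or nil. The version check rejects a stale
  # token even if it survived deletion (e.g. in a replicated or cached store).
  def authenticate(token)
    s = @sessions[token]
    return nil unless s
    return nil unless @users[s[:user]][:password_version] == s[:password_version]
    s[:user]
  end

  private

  def hash_pw(password)
    Digest::SHA256.hexdigest(password) # placeholder for a proper password hash
  end
end
```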
Related Identifiers
EUVD-2025-209178
GHSA-4rp7-5w2x-wwvh